*NEWS*CYBER CROOKS BREAK INTO ONLINE ACCT


Date: Friday November 11, 2005 10:28:00 am

  • Anonymous
    Inactive

    Cyber crooks break into online accounts with ease
    GASTONIA, N.C. – When he logged on to his Ameritrade account earlier this year,
    George Rodriguez caught a cybercrook in the act of cleaning out his
    retirement nest egg.

    He
    watched, horrified, as the intruder in quick succession dumped $60,000
    worth of shares in Disney, American Express, Starbucks and 11 other
    blue-chip stocks, then directed a deposit into the online account of a
    stranger in Austin.
    “My entire portfolio was being sold out right
    before my eyes,” recalls Rodriguez, 41, a commercial real estate broker
    who alerted Ameritrade in time to stop the trades.
    Rodriguez had
    just experienced a tech-savvy consumer’s worst nightmare. But it’s the
    reality of the digital world we live in: Everyone is now at risk of
    becoming the victim of an Internet-based crime – even folks who stay
    offline. And, once victimized, you can face more trouble than you might
    imagine.
    Many consumers and small-business owners naively believe
    online transactions are safe if they use a firewall, keep anti-virus
    software updated and follow security tips posted on banking websites.
    Not
    so, Internet security experts and federal regulators say. “What banks
    don’t tell you is how easy it is to bypass those protections, and how
    prolific the threat is, because then you wouldn’t do online banking,”
    says Peter Vogt, a board member of Information Systems Security
    Association, an international group of tech security professionals.
    Over
    the past two years, banks, credit card companies and credit agencies
    have made everything from changing a billing address to extending
    credit and transferring large sums easy to do online.
    That has
    created fresh opportunities for swindlers and hackers, say dozens of
    banking and Internet-security executives, analysts, consultants,
    researchers and regulators interviewed by USA TODAY over the past four
    months.
    Exploiting accounts
    Federal regulators are
    cognizant of the biggest blind spot: To gain access to most online bank
    accounts, you need nothing more than a user name and a password.
    Bank
    of America told USA TODAY that it plans to require extra log-on steps
    for all Internet customers by early next year. It will become the first
    major U.S. bank to add another level of authentication, as banking and
    tech-security experts debate how to best balance convenience and
    security.
    The Federal Financial Institutions Examinations Council
    last month called on all banks to toughen log-on procedures by the end
    of 2006. But the council, a consortium of five federal banking
    agencies, stopped short of specifying how to do that.
    “No one knows what the right answer is yet,” says Unisys banking security consultant John Pironti.
    ‘They said it was safe’
    The
    case of small-businessman Joe Lopez, closely watched in banking and
    legal circles, has emerged as a microcosm of e-commerce at a crossroads.
    The
    bootstrap founder of Ahlo, a thriving Miami-based ink and toner
    cartridge wholesale business, Lopez says he opened a Bank of America
    online business account in October 2003 after being cajoled by bank
    representatives on more than 20 different visits to his local branch.
    “They said it was safe,” Lopez, 42, recalls from his office in a gritty
    industrial neighborhood.
    In April 2004, moments after logging on to
    his online account at work, Lopez spotted an entry revealing that
    someone had executed an electronic transfer of $90,348.65 to Parex Bank
    in Riga, Latvia. Lopez knew no one in Latvia. “I thought I was going to
    vomit,” he recalls.
    The next day, according to bank records, a
    mysterious figure named Yanson Arnold withdrew $20,000 in cash from
    Parex Bank, leaving $70,348.65 behind. Arnold has not been heard from
    since.
    Secret Service investigators later discovered someone had
    slipped a Trojan – a small bit of malicious code – past the firewall
    and anti-virus software Lopez assumed kept his computer protected. The
    Trojan, called Coreflood, had captured and transmitted Lopez’s user
    name and password to a data thief, who probably sold it to Arnold or
    his associates.
    Bank of America disavowed responsibility, prompting
    Lopez to sue the bank in federal court in Miami to get his money back.
    “We fully investigated his claims and determined that all of our
    internal protocols and security measures were in place,” says Shirley
    Norton, a Bank of America spokeswoman.
    In its defense, the bank has
    invoked an obscure section of the Uniform Commercial Code, state laws
    governing commercial contracts, which banks helped draft. It limits
    liability in delivering online services to businesses if certain
    safeguards are in place.
    Norton says the bank considers Lopez a
    business customer doing commercial transactions, not a consumer doing
    household banking. Consumers are protected by federal laws that limit
    their fraud losses in most cases to $50. They must report discrepancies
    promptly and generally be able to show wrongdoing.
    “It’s a bank’s way of saying, ‘It’s the customers’ fault,’ ” says Gail Hillebrand, a senior attorney at Consumers Union.
    Legal
    experts say BofA’s stance makes sense. It is refusing to expose itself
    to liability arising from the countless malicious programs that infest
    PCs used by small companies, over which the bank has no control. Such
    exposure could force financial institutions to curtail online services
    being pitched to small firms, a promising growth area.
    No trial date
    has been set for the case. If BofA prevails, it will reinforce the
    Uniform Commercial Code as a legal rampart financial institutions can
    use to fend off similar lawsuits. “Making Lopez whole could open BofA
    to settling lots of other breaches, and that adds up to a lot of
    money,” says Mark Budnitz, a law professor at Georgia State.
    Meanwhile,
    Lopez, now a First Bank of Miami customer, faxes wire-transfer requests
    to the bank using a form letter. He follows up with a phone call. “No
    more online transactions for me, man,” he says.
    Stealthy exploits
    While
    financial industry executives acknowledge the Internet’s security
    pitfalls, they say they have been mindful of minimizing risks to
    consumers and small businesses. Of the $1.3 trillion in transactions
    done with Visa credit cards in 2004, only 0.05% were fraudulent, the
    same level as 2003, and down from 0.07% in 2002. Visa does not break out
    online transactions.
    “Online banking is safe and getting safer,” says Doug Johnson, senior policy analyst at the American Bankers Association.
    Indeed,
    consumer financial fraud has been around as long as checking accounts
    and credit cards, and banks already do plenty to stop fraud. But
    e-commerce has opened virgin criminal frontiers. “In the past,
    everything was much more traceable,” says Gartner banking analyst
    Avivah Litan. “Now you can open 10,000 (bogus) accounts in the time it
    used to take to open one, all in a faceless Internet
    More than half
    of Bank of America’s retail banking customers also bank online. A look
    at the top five online banks by estimated number of customers (in
    millions):
    Stopping mailbox thieves and check kiters in the physical
    world is one thing. But modeling the threat posed by crime groups using
    the Internet to commit fraud electronically, on a global scale, has
    proved to be much more complex.
    For one thing, electronic thievery
    is difficult to measure. When crooks get away with an online scam,
    banks often misclassify the pilfered funds as uncollectible debt. That
    masks the level of online fraud, says Litan, while “making it easier
    for the criminals to escape the law.”
    What’s more, there is little
    urgency for banks to measure cybercrime precisely. Online banking
    services are still in a nascent phase, representing less than $200
    billion of the trillions of dollars of transactions banks handle each
    year.
    Coreflood could have gotten on Lopez’s PC several different
    ways. It is one of many tried-and-true tools ID thieves use to harvest
    user names, passwords, Social Security numbers, account numbers and
    other personal data.
    Anti-virus, anti-spyware and firewall defenses
    offer limited protection, primarily blocking the known malicious
    programs relentlessly blasting across the Internet, seeking unprotected
    PCs.
    But elite identity data thieves have shifted to smaller-scale,
    more stealthy exploits, often aimed at compromising 1,000 or so PCs a
    day, says Joe Hartmann, director of anti-virus research at Trend Micro.
    Over time they can infect millions of machines but go completely
    undetected.
    Some specialist hackers focus on finding new ways to
    attach Trojans to free, downloadable music, pornography and gambling
    files found across the Internet. Others hide Trojans on popular
    websites or in e-mail attachments. Downloading a tainted file, visiting
    a contagious Web page or opening a viral attachment can load a Trojan.
    Meanwhile,
    phishing scammers seem to have endless creativity when it comes to
    crafting e-mail to trick even computer-savvy individuals into divulging
    sensitive account information at counterfeit websites. The best and
    brightest coders can make good money deploying “SQL Injection” attacks.
    These are aimed at tricking a Web page linked to a company database
    into giving up sensitive employee and customer data.
    Low-tech heists
    work, too. Larcenous company insiders can get paid top dollar to assist
    in pilfering directly from company databases. For his new book, The
    Insider, A True Story: Sometimes Security is About Keeping An Eye On
    Those We Trust Most, Dan Verton examined network traffic at 50 large
    companies and government agencies.
    In two days spent at each
    organization, he found 6,000 instances of names, Social Security
    numbers, credit card numbers, tax ID numbers, private health care
    information, payroll data and bank account information being
    transmitted, without authorization, to unknown locations on the
    Internet or to private e-mail accounts.
    Verton says his findings
    suggest similar breaches may be taking place at an epidemic level
    across e-commerce, with insiders diverting vast amounts of valuable
    data to criminal circles.
    In short, if your personal information
    resides in any database anywhere, it can become a target, even if you
    prefer to write checks and patronize bricks-and-mortar banks and stores.
    ‘This stuff happens’
    Apart
    from data thieves, another kind of crook specializes in converting the
    stolen ID data into goods and cash, using the Internet as a
    communications and distribution network.
    Surge in attacks
    Phishing: 73 million adults say they’ve received at least 50 phishing e-mails in the last 12 months.
    Spyware: 80% of consumer PCs are infected with spyware.
    Blended attacks: 63% of large companies say their main security concern is the increasing complexity of cyberattacks.
    Corporate losses: 639 of 700 companies and government agencies surveyed lost $31 million worth of proprietary data and spent $43 million to clean up computer viruses.
    Consumer risk: 13% of all Internet users have had a member of their household victimized by identity thieves, and 41% say they are buying less online due to security threats.
    Sources: Gartner Research, June 2005; Webroot, 2005 State of Spyware report; Deloitte 2005 Global Security Survey; CSI/FBI 2005 Computer Crime and Security Survey; Conference Board Research Center, 2005.
    “The market
    is becoming more sophisticated,” says Jim Melnick, former analyst for
    the Defense Intelligence Agency, now director of threat intelligence at
    security firm iDefense. “There’s more differentiating of roles and
    services to streamline and accelerate cybercriminal activity.”
    The
    most widely cited measure of cybercrime activity comes from a
    2-year-old Federal Trade Commission consumer survey, the first of its
    kind, which placed the number of Americans victimized by identity
    thieves at 10 million in 2003, with consumers losing $5 billion and
    businesses $48 billion.
    The FTC plans to redo its identity theft
    survey early next year, and the results are expected to reinforce
    anecdotal evidence that cybercrime has intensified.
    George
    Rodriguez, the North Carolina commercial real estate broker, doesn’t
    need a government study to tell him the threat is increasing. When
    Rodriguez spotted a cybercrook attempting to transfer proceeds from his
    Ameritrade portfolio to a consumer account at Bank of America, he
    quickly called authorities to cut short the stock trades before they
    were settled.
    But the experience left him wondering what might have
    happened if he had been on vacation or simply not using his computer
    that day.
    A local detective identified the BofA account owner as Kevin Maguire, a 53-year-old corporate travel manager from Austin.
    Contacted
    by USA TODAY, Maguire said he “has no idea” what happened to his bank
    account. He says BofA informed him of the incident, but said little
    else. “They just told me this stuff happens,” Maguire says.
    Investigators
    say cyberthieves probably intended to use Maguire’s compromised account
    to launder Rodriguez’s cash. To misdirect authorities, thieves
    typically transfer funds a number of times culminating in a cash
    withdrawal.
    Dealing with the fallout of a cybercrime can be
    frustrating. Most banks espouse policies of making restitution to
    consumers who fall prey to online fraud, if the crime is reported
    within 60 days.
    But that is not uniform. Ameritrade, which declined
    comment to USA TODAY, told Rodriguez in a short letter that it would
    unravel the bogus stock trades “as a one-time courtesy to you. …
    Going forward, you are responsible for any transactions placed in your
    account.”
    “They treated me as if I screwed up,” Rodriguez says, looking at the letter, shaking his head.
